100 TRUSTDOM - (ver %ws) - Manage Trust Links\nUsage:\ntrustdom [[domain[:dc],]target_domain[:dc]] [Options]\n\nDisplays/creates/deletes trust links with/between the specified target\ndomain(s). It can be used remotely, from another machine.\nIf a pair is specified, the link will be between the two domains.\nDefault action: '-out', that is a one-way trust is created, as follows:\n an outbound trust on the local/specified domain\n an inbound trust on the specified target domain\nExamples: \n trustdom DOMB \n one-way trust from local domain to DOMB \n trustdom DOMX,DOMY \n one-way trust from DOMX to DOMY \n trustdom SOMEDOM -list \n list trusts for domain SOMEDOM; without the domain name would mean 'local' \nArguments:\n domain/target_domain\n - Domains (flat or DNS names)\n For multiple DC domains, you can specify the DC to \n connect to in the form 'domain:dc' \nOptions: \n -list - list all trust links of the specified target domain\n (or local domain if none is specified) and exit (all other\n commands are ignored)\n -untrust - Breaks the trust\n -sidcheck - Check the sids in the specified trust link\n -verify - Verify the current domain trusts for viability\n -both - Establishes a two way trust (bidirectional)\n -out - Establishes an outbound trust [default]\n -in - Establishes an inbound trust\n Specifying '-in -out' is equivalent with '-both'\n -localonly - All operations (create/delete) are applied only for the\n trust objects on the first/local DC (use with care)\n -downlevel - Creates a downlevel trust\n -mit - Creates MIT Kerberos trust (enables 'localonly' and 'both')\n -parent - Establishes a two way parent/child trust;\n set the parent bit in the trust object on the child machine\n -pw:password - Optional password to set on the object as CLEARTEXT only.\n Use '*' to enter password in no-echo mode\n -debug - Detailed messages about operation\n -force - Force application of the settings, even if they are illegal\n or the target domain is nonexistent/nonaccessible\n e.g., setting a trust to a NT4 machine without\n specifying 'downlevel'; (use with care)\n -nt4 - force nt4 style operation even if domains are NT5\n -sidlist - list SIDs too (enables 'list' option; NT5 only)\nThe comma-separated fields displayed with the '-list/-sidlist' command:\n name of domain (if possible, the DNS name)\n direction of trust: I(nbound), O(utbound), B(idirectional)\n type of trust: T_downlevel, T_uplevel, T_mit, T_DCE\n trust attributes (as 4 separate fields; a missing attribute is replaced by _):\n A_NonTran,A_UpLevelOnly,A_TreeParent,A_TreeRoot\n sid from the trust object (if '-sidlist' is specified)\n
200 GenerateRandomSID failed: err 0x%08lx\n
210 Invalid domain name: %ws\n
300 DsGetDcName for %ws failed: 0x%08lx;
301 ...now returning Status 0x%08lx (STATUS_NO_SUCH_DOMAIN)\n
302 ...'-force' option specified; ignoring the previous DsGetDcName error\n
303 DC used for domain %ws: %ws\n
304 For a MIT trust: assuming %ws is a Unix machine...\n
305 LsaOpenPolicy on %ws failed with
306 STATUS_ACCESS_DENIED\n
307 err 0x%08lx\n
308 (local)
309 Password :
310 MIT trusts: always local only and both; enabling 'localonly' and 'both' options\n
400 GetDomainInfoForDomain for %ws: LsaQueryInformationPolicy(%ws) returned 0x%lx\n
401 Trying (Primary)...\n
403 DNSDomainName: %wZ\n
404 LsaEnumerateTrustedDomainsEx for %wZ returned 0x%08lx (%lu entries)\n
405 LsaEnumerateTrustedDomains for %wZ returned 0x%08lx (%lu entries)\n
406 NetUserEnum for %wZ returned 0x%08lx (%lu entries)\n
407 LsaCreateTrustedDomainEx on %wZ for %ws failed with 0x%lx\n
408 NetUserAdd on %ws for %ws failed: err 0x%08lx\n
409 On %ws user %ws already exists\n
410 LsaCreateTrustedDomain failed: err 0x%08lx\n
411 On %wZ there is already a trust object to %ws\n
420 LsaCreateSecret failed: err 0x%08lx\n
421 LsaSetSecret failed: err 0x%08lx\n
422 GetTrustLinks on %wZ failed: err 0x%08lx\n
423 On %wZ, no trust object to %wZ found...\n
424 LsaQueryTrustedDomainInfoByName on %wZ for %wZ failed: err 0x%08lx\n
425 LsaSetTrustedDomainInfoByName on %wZ for %wZ failed: err 0x%08lx\n
426 LsaOpenTrustedDomain failed: err 0x%08lx\n
427 DeleteTrustLinks: cannot get a nonNULL sid for the trust to %wZ\n
428 Deletion of trusted domain object on %wZ failed with 0x%lx\n
429 Secret %wZ not found. Ignoring...\n
430 LsaOpenSecret failed: err 0x%08lx\n
431 LsaDelete on secret %wZ failed: err 0x%08lx\n
432 NetUserDel for user %ws failed: err 0x%08lx\n
433 Unknown option: %s\n
434 Trust Link between domains: [%ws%ws%ws],[%ws%ws%ws]\n
435 Warning
436 Error
437 %ws: '-parent' REQUIRES '-both'\n
438 Local: Deleting trust things failed with 0x%lx\n
439 Remote: Deleting trust things failed with 0x%lx\n
440 Local: Checking trust things failed with 0x%lx\n
441 Remote: Checking trust things failed with 0x%lx\n
445 %ws: NT4 DCs REQUIRE '-downlevel'\n
446 Creating trust from %ws to %ws failed with 0x%lx\n
447 The command failed: err 0x%0lx\n
450 ...'-nt4' flag used; force NT4 style trust operation for domain %ws\n
500 -- Processing domain: %wZ...\n
501 -- Deleting on domain %wZ trust to domain %wZ...\n
502 -- Checking on domain %wZ trust to domain %wZ...\n
510 NULL sid returned by LsaQueryTrustedDomainInfoByName\n
511 LsaSetTrustedDomainInfoByName: NULL sid\n
512 #### NULL sid\n
550 Handle returned by LsaOpenTrustedDomain: 0x%08lx (Status: 0x%08lx)\n
551 Attempting deleting LSA Object with handle 0x%08lx\n
660 \nThe following trusts verfied correctly:\n
661 \nThe following trusts where invalid in the inbound direction:\n
662 \nThe following trusts where invalid in the outbound direction:\n
663 Validating trust from domain %wZ to domain %wZ\n